Cyber Security R&D: A Personal Perspective


Cyber Security R&D: A Personal Perspective
Ravi Sandhu
Executive Director, Professor of Computer Science, Lutcher Brown Chair in Cyber Security
May 2019
ravi.sandhu@utsa.edu
www.ics.utsa.edu
www.profsandhu.com
© Ravi Sandhu World-Leading Research with Real-World Impact!

ICS Facts and Figures
MISSION: Excellence in graduate-level sponsored research
PAST SYNOPSIS
  Founded: 2007
  PhDs graduated: 25
  External funding raised: $22M
CURRENT STATUS
  Faculty affiliates: 20 (College of Sciences: 8, Engineering: 5, Business: 5, Education: 2); includes 6 with research fully managed through ICS
  Current PhD students: 32 (College of Sciences: 22, Engineering: 7, Business: 2, Education: 1; Domestic: 17, Foreign: 15)
  Current non-PhD students: 8 (Domestic: 7, Foreign: 1)

Holistic Cyber Security Research Objectives
[diagram labels: POLICY, ATTACKS, What?, Why?, Enforce, Enable, Defend, Respond, PROTECT, DETECT, Complement, How?, Mechanisms]
Requires Institute Level Effort; World Class Laboratories; Global Collaborative Connections

ICS Major Research Thrusts
APPLICATION DOMAINS: Cloud Computing, Internet of Things (IoT), Social Media, Big Data, Mobile Platforms, Enterprise, Insider Threat, Scientific Infrastructure, Smart Homes, Smart Cities, Smart Cars, etcetera
WORLD CLASS LABS: FlexCloud, Flex Farm
FOUNDATIONAL TECHNOLOGIES: Access Control, Policy, Malware, Forensics, Blockchain, Artificial Intelligence, Machine Learning, Data Provenance, Formal Methods, etcetera
Goal: Broaden and Deepen

Security Objectives
  INTEGRITY: modification
  AVAILABILITY: access
  CONFIDENTIALITY: disclosure

Security Objectives
  USAGE: purpose (covers privacy and intellectual property protection)
  INTEGRITY: modification
  AVAILABILITY: access
  CONFIDENTIALITY: disclosure

Cannot have it all
Need to reconcile with non-Security Objectives
[diagram labels: CIAU, Cost, Convenience, Growth, Safety]

Cyber Security Goal
Enable system designers and operators to say:
  "This system is secure" (not attainable)
  "This system is as secure as it needs to be and no more" (many successful examples)

Cyber Security is Dynamic
“My dear, here we must run as fast as we can, just to stay in place. And if you wish to go anywhere you must run twice as fast as that.”
― Lewis Carroll, Alice in Wonderland

Cyber Security Big Trends
  Single enterprise -> Multiple interacting parties
  Cyber only -> Cyber physical
  Configured -> Automated
  Static -> Adaptive
  Experts -> Naïve users
  Fractured -> Seamless

Cryptography
  Symmetric Key Cryptography, 1977
  Asymmetric Key Cryptography, 1996
  BlockChain Applications, ????

Access Control
  Discretionary Access Control (DAC), 1970
  Mandatory Access Control (MAC), 1970
  Role Based Access Control (RBAC), 1995
  Attribute Based Access Control (ABAC), ????

Discretionary Access Control (DAC)
  Core concept: Custodian of information determines access
  Core drawback: Does not protect copies
  Therefore OK for integrity but not for confidentiality

Mandatory Access Control (MAC)
[diagram: security levels Top Secret, Secret, Confidential, Unclassified, connected by can-flow arrows]

Mandatory Access Control (MAC)
  Core concept: Extend control to copies by means of security labels
  Core drawback: Covert channels can make copies that bypass this control
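Added example (not part of the original slides): the DAC drawback "does not protect copies" next to the MAC idea of extending control to copies through labels. The store classes, users and data are constructed, and each user is assumed to act at one fixed level on the slide's four-level can-flow ordering.

```python
# Added illustration, not from the slides; users, objects and data are constructed.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]  # low -> high

def can_flow(src, dst):
    """The can-flow relation: information may only stay level or move upward."""
    return LEVELS.index(src) <= LEVELS.index(dst)

class DacStore:
    """DAC: the custodian (owner) of each object picks its readers."""
    def __init__(self):
        self.objects = {}  # name -> (readers, data)
    def create(self, owner, name, data, readers=()):
        self.objects[name] = ({owner, *readers}, data)
    def read(self, user, name):
        readers, data = self.objects[name]
        if user not in readers:
            raise PermissionError(f"{user} may not read {name}")
        return data

class MacStore:
    """MAC: labels decide; a copy is a write, so it is checked as well."""
    def __init__(self, clearance):
        self.clearance = clearance  # user -> level (assumed fixed per user)
        self.objects = {}           # name -> (label, data)
    def write(self, user, name, data, label):
        if not can_flow(self.clearance[user], label):  # no write-down
            raise PermissionError(f"{user} may not write at {label}")
        self.objects[name] = (label, data)
    def read(self, user, name):
        label, data = self.objects[name]
        if not can_flow(label, self.clearance[user]):  # no read-up
            raise PermissionError(f"{user} may not read {name}")
        return data

def dac_copy_leak():
    dac = DacStore()
    dac.create("alice", "plan", "merger terms", readers=["bob"])
    # bob reads legitimately, then becomes custodian of his own copy.
    dac.create("bob", "plan-copy", dac.read("bob", "plan"), readers=["carol"])
    return dac.read("carol", "plan-copy")  # alice's reader list no longer matters

def mac_copy_blocked():
    mac = MacStore({"alice": "Secret", "bob": "Secret", "carol": "Unclassified"})
    mac.write("alice", "plan", "merger terms", "Secret")
    try:  # bob tries to copy the Secret data into an Unclassified object
        mac.write("bob", "plan-copy", mac.read("bob", "plan"), "Unclassified")
    except PermissionError:
        return True
    return False
```

The label check covers only flows that go through the store's read and write operations, which is why the slide names covert channels as the remaining drawback.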


Role-Based Access Control (RBAC)
[diagram: role hierarchy with Primary-Care Physician, Specialist Physician, Physician, Health-Care Provider]

Role-Based Access Control (RBAC)
  Core concept: Roles determine everything
  Core drawback: Roles are a natural concept for human users, but not so natural for:
    Information objects
    IoT things
    Contextual attributes

Role-Based Access Control (RBAC)
Fundamental theorem of RBAC:
  RBAC can be configured to do DAC
  RBAC can be configured to do MAC


Attribute-Based Access Control (ABAC)
[diagram labels: Actor, Operation, Target, Context; Access Decision? Yes/No]

Attribute-Based Access Control (ABAC)
  Core concept: Attributes determine everything
  Core drawback: Flexibility at the cost of complexity
  No fixed access decision rule
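Added example (not part of the original slides): the role names from the RBAC hierarchy slide, evaluated first as a role-only decision and then as an ABAC decision over actor, target and context attributes. The permissions, attribute names, the care-team rule and the inheritance direction (senior roles inherit from junior roles) are assumptions made for illustration.

```python
# Added illustration, not from the slides: permissions, attributes and the
# inheritance direction (senior role -> its junior roles) are assumptions.
JUNIORS = {
    "Primary-Care Physician": ["Physician"],
    "Specialist Physician": ["Physician"],
    "Physician": ["Health-Care Provider"],
    "Health-Care Provider": [],
}
ROLE_PERMS = {"Physician": {"read_record"},
              "Health-Care Provider": {"read_schedule"}}

def effective_roles(role):
    """The role itself plus every junior role it inherits from."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(JUNIORS[r])
    return seen

def rbac_allows(role, operation):
    """RBAC: the actor's roles are the only input to the decision."""
    return any(operation in ROLE_PERMS.get(r, ()) for r in effective_roles(role))

def abac_allows(operation, actor, target, context):
    """ABAC: a rule over actor, target and context attributes; role is one of them."""
    if not rbac_allows(actor["role"], operation):
        return False
    if operation == "read_record":
        # Hypothetical rule: treating clinician, or a declared emergency.
        return actor["id"] in target["care_team"] or context["emergency"]
    return True

def compare():
    """Constructed request: a specialist outside the patient's care team."""
    actor = {"id": "dr_lee", "role": "Specialist Physician"}
    target = {"type": "record", "care_team": {"dr_kim"}}
    return (rbac_allows(actor["role"], "read_record"),
            abac_allows("read_record", actor, target, {"emergency": False}),
            abac_allows("read_record", actor, target, {"emergency": True}))
```

The role-only check gives the same answer for every record, while the ABAC rule changes with the target and the context; the rule itself is free-form code, which is the "no fixed access decision rule" cost the slide points to.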


Access Control PEI Layers
[diagram labels: Idealized, Enforceable (Approximate), Codeable]


Cloud-Enabled IoT (CE-IoT)
  a) Access Control Oriented (ACO) Architecture
  b) Enhanced ACO (E-ACO) Architecture

CE-IoT Enforcement Model
[diagram labels: Certificate and Crypto Based Communication Control; Attribute-Based Communication Control; CCP; Bandwidth and Latency; User-Centric Privacy]